Signal Group Chat



  • If anyone has Signal or wants to install it, feel free to invite me and I will add everyone to a group chat, that way everyone can find each other without sharing their phone numbers.

    EDIT: Signal Group Chat sucks compared to Telegram Group Chat. No comparison so join Telegram and feel free to add me (937) 281-8000



  • I officially feel like the middle aged guy that doesn't know all the latest apps the kids are using. Is this from signal.org?



  • @mike-davis said in Signal Group Chat:

    I officially feel like the middle aged guy that doesn't know all the latest apps the kids are using. Is this from signal.org?

    That's the one.



  • @mike-davis said in Signal Group Chat:

    I officially feel like the middle aged guy that doesn't know all the latest apps the kids are using. Is this from signal.org?

    Correct. Just out of complete coincidence, I started Signal.org originally and it’s entirely a separate project. Last summer (2016) Open Whisper Systems bought Signal.org and rights to the mark.

    So I am not affiliated with Signal.org today. You can read about the original project here...

    https://www.theverge.com/2014/3/24/5542504/building-a-cell-network-for-the-zombie-apocalypse



  • Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.



  • @dashrender said in Signal Group Chat:

    Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.

    Email addresses are just as easy to “spoof”. I don’t see a difference in that area.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.

    Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

    eh? How do you spoof an email? unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.



  • @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.

    Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

    eh? How do you spoof an email? unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

    Did you seriously just say that?



  • Hey, If I'm misunderstanding something, please correct me. Though I will toss in, if email is flying in the clear, then it would be possible for someone to intercept it, and all the folly that goes with it.



  • @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.

    Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

    eh? How do you spoof an email? unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

    Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.



  • @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?



  • @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.



  • @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me. Though I will toss in, if email is flying in the clear, then it would be possible for someone to intercept it, and all the folly that goes with it.

    You don't need to "intercept" anything. 1- those are one time codes. They would have to be able to register their app before you and you would notice that. 2 - all you have to do is convince the email provider you are the other person (which also works for phone but that was my point).



  • @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    And again, that doesn't change the fact that it's a one time code. You would notice immediately if someone registered the code before you. What good does intercepting it do?



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    yeah yeah - you guys are saying that since this is a near real time setup, it's less of an issue... sure, there is that, but from a pure security situation, it's still not good.



  • @stacksofplates said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    And again, that doesn't change the fact that it's a one time code. You would notice immediately if someone registered the code before you. What good does intercepting it do?

    would you? would a normal person? It seems like a normal person would say - huh, it's broke, fuck it.. I'll use something else.



  • @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    yeah yeah - you guys are saying that since this is a near real time setup, it's less of an issue... sure, there is that, but from a pure security situation, it's still not good.

    I'm saying it's just as bad either way. Email accounts are attacked ALL of the time.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    yeah yeah - you guys are saying that since this is a near real time setup, it's less of an issue... sure, there is that, but from a pure security situation, it's still not good.

    I'm saying it's just as bad either way. Email accounts are attacked ALL of the time.

    But short of either a breach to the email hoster or figuring out the password, email is much more difficult to breach than the phone system (according to reports - I don't have first hand knowledge) for skilled hackers.



  • @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    And again, that doesn't change the fact that it's a one time code. You would notice immediately if someone registered the code before you. What good does intercepting it do?

    would you? would a normal person? It seems like a normal person would say - huh, it's broke, fuck it.. I'll use something else.

    So you've introduced this magical person that is using a chat app because of its security, but would just not notice that the code they just received doesn't work.

    And if they get a message saying they've already used this code, that's a pretty dead giveaway.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    And again, that doesn't change the fact that it's a one time code. You would notice immediately if someone registered the code before you. What good does intercepting it do?

    would you? would a normal person? It seems like a normal person would say - huh, it's broke, fuck it.. I'll use something else.

    So you've introduced this magical person that is using a chat app because of its security, but would just not notice that the code they just received doesn't work.

    LOL magical person - now you're kidding right? many people use an app not because of security but because their associates/family, etc are using it. So I tell all of my friends and family who could care less about security to use it.. they try, they fail.. they go back to FB chat.. in the meantime I could possibly be tricked into thinking they actually made it, at least for a short time, because I, as the one wanting security, should be confirming those users.

    But now we've taken this to a farce'ish level, mainly because we know that the common user doesn't care about security, those needing/wanting it likely have to use other means to get it anyway.

    Let's just move on and use it here at ML. 🙂



  • @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    yeah yeah - you guys are saying that since this is a near real time setup, it's less of an issue... sure, there is that, but from a pure security situation, it's still not good.

    I'm saying it's just as bad either way. Email accounts are attacked ALL of the time.

    But short of either a breach to the email hoster or figuring out the password, email is much more difficult to breach than the phone system (according to reports - I don't have first hand knowledge) for skilled hackers.

    Again, only if you use cell, not VoIP.

    Also, I don't buy that from the number of times people's email accounts are breached. Things like MITM from non-HTTPS pages in an email to that specific account (if you don't think something is wrong from a 2FA code, you won't be paying attention to HTTPS), security questions, etc. You don't need to "breach the email provider".



  • @Dashrender I have no idea where the hell you are trying to go with this.

    You are mixing up a couple of things and calling it all stupid.

    Yes, @scottalanmiller has this dislike for things that require a telephone. It is a downside to both Telegram and Signal. With Telegram, once you are connected, which requires a phone number, you can create a username and only give that out. People who find you by username never get your telephone number.

    I have not looked into the details of Signal yet to see how it functions at this level.

    You have my number, install Signal, I will show up as I have it set up.



  • So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack in to T-Mobile to reroute things?

    I feel like I can trust that more than the security of my email account.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Not thrilled they are bootstrapping connections via phone numbers!

    As scott has mentioned before.. phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

    I would have much rather seen this use email addresses.

    Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

    eh? How do you spoof an email? unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

    Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.

    My issue is that in much of the world, phone numbers change hands all the time. So using it for security is a fundamental problem. You might get a new phone number every time you cross a border. It's tied to a physical SIM card, often with zero security.



  • @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @stacksofplates said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    @jaredbusch said in Signal Group Chat:

    @dashrender said in Signal Group Chat:

    Hey, If I'm misunderstanding something, please correct me.

    Exactly how hard is it to get someone’s email account versus hacking the phone network?

    I couldn't tell you - but when NIST goes so far as to tell people to stop using SMS for 2FA, that tells you just how bad it must be.

    You can receive a phone call. It doesn't have to be SMS.

    yeah yeah - you guys are saying that since this is a near real time setup, it's less of an issue... sure, there is that, but from a pure security situation, it's still not good.

    I'm saying it's just as bad either way. Email accounts are attacked ALL of the time.

    That's totally different. It requires hacking. You don't even need to hack phone numbers to have an issue. Phone numbers change hands as part of the INTENDED use case. Emails identify a person, phone numbers identify a device. It's a fundamentally flawed system akin to using social security numbers as identification - it's simply not an identifying item.



  • @tim_g said in Signal Group Chat:

    So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack in to T-Mobile to reroute things?

    I feel like I can trust that more than the security of my email account.

    That's not what I said.



  • @tim_g said in Signal Group Chat:

    So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack in to T-Mobile to reroute things?

    What if they get your SIM card? And, sorry, but I worked a job where they intercepted all phone calls and texts both for employees and the employees of GE who shared the building. Phone calls are not secured, nor are phone accounts. It's "whoever has physical access to the SIM card or the cellular node."

    In the real world, I've known thousands of people with their phone calls and texts intercepted most of the time, and that was just the parts we knew about. It's now public that the police intercept that, too.

    There is no need to hack T-Mobile or do anything crazy. Phones simply don't have that security to need to work around.



  • @scottalanmiller said in Signal Group Chat:

    @tim_g said in Signal Group Chat:

    So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack in to T-Mobile to reroute things?

    What if they get your SIM card? And, sorry, but I worked a job where they intercepted all phone calls and texts both for employees and the employees of GE who shared the building. Phone calls are not secured, nor are phone accounts. It's "whoever has physical access to the SIM card or the cellular node."

    In the real world, I've known thousands of people with their phone calls and texts intercepted most of the time, and that was just the parts we knew about. It's now public that the police intercept that, too.

    There is no need to hack T-Mobile or do anything crazy. Phones simply don't have that security to need to work around.

    Safety numbers are generated with every contact and if this happens it alerts you to the change...

    https://support.signal.org/hc/en-us/articles/115000267971
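
An added illustration of the safety-number alert mentioned in the post above (not part of the thread, and not Signal's actual algorithm): a simplified trust-on-first-use model in which a phone number re-registered with a new identity key produces a different safety number and resets the contact's verified state. The function and class names, the phone numbers and the keys are all constructed for this example.

```python
import hashlib


def fingerprint(identity_key: bytes, identifier: str, iterations: int = 1000) -> str:
    """30-digit fingerprint binding an identity key to an identifier (simplified)."""
    digest = identity_key + identifier.encode()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + identity_key).digest()
    # Six 5-digit groups, each taken from a successive 5-byte chunk of the hash.
    groups = [int.from_bytes(digest[i:i + 5], "big") % 100000 for i in range(0, 30, 5)]
    return "".join(f"{g:05d}" for g in groups)


def safety_number(my_key: bytes, my_id: str, their_key: bytes, their_id: str) -> str:
    """Both sides sort the two fingerprints, so each computes the same 60 digits."""
    return "".join(sorted([fingerprint(my_key, my_id), fingerprint(their_key, their_id)]))


class ContactStore:
    """Trust-on-first-use record of the identity key seen for each phone number."""

    def __init__(self, my_id: str, my_key: bytes):
        self.my_id, self.my_key = my_id, my_key
        self.contacts = {}  # phone number -> {"key": bytes, "verified": bool}

    def observe(self, their_id: str, their_key: bytes) -> str:
        entry = self.contacts.get(their_id)
        if entry is None:
            self.contacts[their_id] = {"key": their_key, "verified": False}
            return "first-seen"
        if entry["key"] == their_key:
            return "unchanged"
        # Same number, different key: new device, reinstall, or someone else
        # now holds the number. Any earlier verification no longer applies.
        self.contacts[their_id] = {"key": their_key, "verified": False}
        return "safety-number-changed"

    def mark_verified(self, their_id: str) -> None:
        self.contacts[their_id]["verified"] = True

    def number_for(self, their_id: str) -> str:
        return safety_number(self.my_key, self.my_id, self.contacts[their_id]["key"], their_id)


def demo() -> dict:
    # Constructed sample data: fictional numbers, keys derived from fixed labels.
    alice_id, bob_id = "+1-555-0100", "+1-555-0101"
    alice_key = hashlib.sha256(b"constructed-alice-key").digest()
    bob_key = hashlib.sha256(b"constructed-bob-key").digest()
    new_holder_key = hashlib.sha256(b"constructed-new-sim-holder-key").digest()

    store = ContactStore(alice_id, alice_key)
    events = [store.observe(bob_id, bob_key)]
    before = store.number_for(bob_id)
    store.mark_verified(bob_id)                           # compared out of band
    events.append(store.observe(bob_id, bob_key))         # same device again
    events.append(store.observe(bob_id, new_holder_key))  # number re-registered
    return {
        "events": events,
        "before": before,
        "after": store.number_for(bob_id),
        "bob_view": safety_number(bob_key, bob_id, alice_key, alice_id),
        "still_verified": store.contacts[bob_id]["verified"],
    }
```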



  • At least they notify you - I thought I heard somewhere that they didn't notify of number changes unless you enabled that feature.

