    Signal Group Chat

    • DashrenderD
      Dashrender @stacksofplates
      last edited by

      @stacksofplates said in Signal Group Chat:

      @scottalanmiller said in Signal Group Chat:

      @stacksofplates said in Signal Group Chat:

      @dashrender said in Signal Group Chat:

      @stacksofplates said in Signal Group Chat:

      @dashrender said in Signal Group Chat:

      Not thrilled they are bootstrapping connections via phone numbers!

      As Scott has mentioned before... phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

      I would have much rather seen this use email addresses.

      Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

      Eh? How do you spoof an email? Unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

      Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.

      My issue is that in much of the world, phone numbers change hands all the time. So using it for security is a fundamental problem. You might get a new phone number every time you cross a border. It's tied to a physical SIM card, often with zero security.

      You can change your number just like Telegram. That has nothing to do with a 2FA code.

      It does if you're using SMS or phone calls as your 2FA - like one of our local hospitals is now... Doc logs into a computer system, the system calls them, the doc answers and presses # to confirm it was them.

      • bigbearB
        bigbear
        last edited by

        A caveat to group chat on Signal is that so far we all can see each other’s number.

        There’s no group admin and anyone can add someone else - but if someone new joins who isn’t in my contacts it is a phone number.

        As @Dashrender says it’s not great on privacy. Unimpeachable encryption, but that part kinda sucks...

        • stacksofplatesS
          stacksofplates @Dashrender
          last edited by

          @dashrender said in Signal Group Chat:

          @stacksofplates said in Signal Group Chat:

          @scottalanmiller said in Signal Group Chat:

          @stacksofplates said in Signal Group Chat:

          @dashrender said in Signal Group Chat:

          @stacksofplates said in Signal Group Chat:

          @dashrender said in Signal Group Chat:

          Not thrilled they are bootstrapping connections via phone numbers!

          As Scott has mentioned before... phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

          I would have much rather seen this use email addresses.

          Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

          Eh? How do you spoof an email? Unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

          Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.

          My issue is that in much of the world, phone numbers change hands all the time. So using it for security is a fundamental problem. You might get a new phone number every time you cross a border. It's tied to a physical SIM card, often with zero security.

          You can change your number just like Telegram. That has nothing to do with a 2FA code.

          It does if you're using SMS or phone calls as your 2FA - like one of our local hospitals is now... Doc logs into a computer system, the system calls them, the doc answers and presses # to confirm it was them.

          Huh?

          What does that have to do with this? Scott was talking about moving locations and getting a new number. All I said was you can change your number for the app which sends a new 2FA code to the new number. Not sure what you are getting at here?

          • DashrenderD
            Dashrender @stacksofplates
            last edited by

            @stacksofplates said in Signal Group Chat:

            @dashrender said in Signal Group Chat:

            @stacksofplates said in Signal Group Chat:

            @scottalanmiller said in Signal Group Chat:

            @stacksofplates said in Signal Group Chat:

            @dashrender said in Signal Group Chat:

            @stacksofplates said in Signal Group Chat:

            @dashrender said in Signal Group Chat:

            Not thrilled they are bootstrapping connections via phone numbers!

            As Scott has mentioned before... phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

            I would have much rather seen this use email addresses.

            Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

            Eh? How do you spoof an email? Unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

            Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.

            My issue is that in much of the world, phone numbers change hands all the time. So using it for security is a fundamental problem. You might get a new phone number every time you cross a border. It's tied to a physical SIM card, often with zero security.

            You can change your number just like Telegram. That has nothing to do with a 2FA code.

            It does if you're using SMS or phone calls as your 2FA - like one of our local hospitals is now... Doc logs into a computer system, the system calls them, the doc answers and presses # to confirm it was them.

            Huh?

            What does that have to do with this? Scott was talking about moving locations and getting a new number. All I said was you can change your number for the app which sends a new 2FA code to the new number. Not sure what you are getting at here?

            Sure you could change, inside Telegram, the listed phone number... but that's only good when you do it. If your phone is stolen (or SIM card cloned) you're screwed until you DO change it.

            • stacksofplatesS
              stacksofplates @Dashrender
              last edited by

              @dashrender said in Signal Group Chat:

              @stacksofplates said in Signal Group Chat:

              @dashrender said in Signal Group Chat:

              @stacksofplates said in Signal Group Chat:

              @scottalanmiller said in Signal Group Chat:

              @stacksofplates said in Signal Group Chat:

              @dashrender said in Signal Group Chat:

              @stacksofplates said in Signal Group Chat:

              @dashrender said in Signal Group Chat:

              Not thrilled they are bootstrapping connections via phone numbers!

              As Scott has mentioned before... phone numbers are entirely too easy to spoof, they can change because of moves or any reason (granted number mobility has reduced this a lot).

              I would have much rather seen this use email addresses.

              Email addresses are just as easy to “spoof”. I don’t see a difference in that area.

              Eh? How do you spoof an email? Unless you have the credentials for the email account, you can't gain access to that. But the phone system has shown how easily SS7 can be broken to intercept phone calls and text messages intended for the true person, but instead come to an attacker. That's why 2FA should not use SMS messages as a factor.

              Sure if you're not using VoIP. However I'd argue that the work it takes to leverage that is the same amount of work it takes to gain access to an email address. It also prevents things like generic bots from creating accounts.

              My issue is that in much of the world, phone numbers change hands all the time. So using it for security is a fundamental problem. You might get a new phone number every time you cross a border. It's tied to a physical SIM card, often with zero security.

              You can change your number just like Telegram. That has nothing to do with a 2FA code.

              It does if you're using SMS or phone calls as your 2FA - like one of our local hospitals is now... Doc logs into a computer system, the system calls them, the doc answers and presses # to confirm it was them.

              Huh?

              What does that have to do with this? Scott was talking about moving locations and getting a new number. All I said was you can change your number for the app which sends a new 2FA code to the new number. Not sure what you are getting at here?

              Sure you could change, inside Telegram, the listed phone number... but that's only good when you do it. If your phone is stolen (or SIM card cloned) you're screwed until you DO change it.

              So still don’t know what this has to do with your doctor example. If someone steals your phone, yes you do have a problem? They steal your phone and then use Telegram and pretend to be you? I still do not get at what you are saying?

              I never argued with the fact that it might be nice to use a different registration method than a phone number. I only ever argued that it’s the same amount of work to hack 2FA either via phone or email.

              • scottalanmillerS
                scottalanmiller @stacksofplates
                last edited by

                @stacksofplates said in Signal Group Chat:

                I only ever argued that it’s the same amount of work to hack 2FA either via phone or email.

                This is what I don't agree with. Texts and SIMs aren't identifying services, but email is. So it's a different degree to hack because one doesn't require hacking, and the other does.

                • stacksofplatesS
                  stacksofplates @scottalanmiller
                  last edited by

                  @scottalanmiller said in Signal Group Chat:

                  @stacksofplates said in Signal Group Chat:

                  I only ever argued that it’s the same amount of work to hack 2FA either via phone or email.

                  This is what I don't agree with. Texts and SIMs aren't identifying services, but email is. So it's a different degree to hack because one doesn't require hacking, and the other does.

                  It’s not a long term identification but it is if the number is tied to the device at the time of the 2FA code send.

                  Both of course require hacking. How do you intercept a 2FA code without hacking?

                  • scottalanmillerS
                    scottalanmiller @stacksofplates
                    last edited by

                    @stacksofplates said in Signal Group Chat:

                    Both of course require hacking. How do you intercept a 2FA code without hacking?

                    By getting the SIM card, being assigned the number, or being in a place, like where I worked, that has all calls and texts going through a third party that reads them first.

                    • DashrenderD
                      Dashrender
                      last edited by

                      Yes the window of time to take advantage of SMS based 2FA might be small, but it's definitely not so small that a bank account couldn't be drained by a bot in 1/2 second.

                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        There is probably some security that I'm missing here. And I realize that you can often disconnect things after the fact. Which really just makes it odd that you need a phone in the first place. But if the phone number is used for any ID and verification, that means that if someone gets your old number, and they just test out one of these services, it will hook up to your account automatically and authenticate directly to them, right?

                        • bigbearB
                          bigbear @scottalanmiller
                          last edited by

                          @scottalanmiller said in Signal Group Chat:

                          There is probably some security that I'm missing here. And I realize that you can often disconnect things after the fact. Which really just makes it odd that you need a phone in the first place. But if the phone number is used for any ID and verification, that means that if someone gets your old number, and they just test out one of these services, it will hook up to your account automatically and authenticate directly to them, right?

                          There is an article on the Signal website about changing numbers.

                          Once you sign up, you add all other devices using QR code from an existing device.

                          But Telegram as a chat app overall looks way better. Hadn't tried it in a couple years.

                          • stacksofplatesS
                            stacksofplates @scottalanmiller
                            last edited by

                            @scottalanmiller said in Signal Group Chat:

                            @stacksofplates said in Signal Group Chat:

                            Both of course require hacking. How do you intercept a 2FA code without hacking?

                            By getting the SIM card, being assigned the number, or being in a place, like where I worked, that has all calls and texts going through a third party that reads them first.

                            Uh, two of those three are hacking. “Getting the SIM card” is the same as “getting the password”. And a multimillion dollar infrastructure to MITM is exactly hacking.

                            • ObsolesceO
                              Obsolesce @scottalanmiller
                              last edited by

                              @scottalanmiller said in Signal Group Chat:

                              @tim_g said in Signal Group Chat:

                              So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack into T-Mobile to reroute things?

                              What if they get your SIM card? And, sorry, but I worked a job where they intercepted all phone calls and texts both for employees and the employees of GE who shared the building. Phone calls are not secured, nor are phone accounts. It's "whoever has physical access to the SIM card or the cellular node."

                              In the real world, I've known thousands of people with their phone calls and texts intercepted most of the time, and that was just the parts we knew about. It's now public that the police intercept that, too.

                              There is no need to hack T-Mobile or do anything crazy. Phones simply don't have that security to need to work around.

                              If someone steals my phone I have bigger things to worry about. They would have to know I'm using Signal, then use my SIM card in another phone and set up Signal again.

                              If someone stole my phone I would deactivate or disable my SIM card anyways.

                              Nobody is intercepting my Signal messages. It's my personal number and my employer has no control.

                              I wouldn't consider your worries realistic for the majority. They are more niche and don't really apply to most people.

                              • bigbearB
                                bigbear @Obsolesce
                                last edited by

                                @tim_g said in Signal Group Chat:

                                @scottalanmiller said in Signal Group Chat:

                                @tim_g said in Signal Group Chat:

                                So if I'm registered on Signal with my phone number, as I am now, how is someone going to use my phone number to intercept my messages? Would they have to hack into T-Mobile to reroute things?

                                What if they get your SIM card? And, sorry, but I worked a job where they intercepted all phone calls and texts both for employees and the employees of GE who shared the building. Phone calls are not secured, nor are phone accounts. It's "whoever has physical access to the SIM card or the cellular node."

                                In the real world, I've known thousands of people with their phone calls and texts intercepted most of the time, and that was just the parts we knew about. It's now public that the police intercept that, too.

                                There is no need to hack T-Mobile or do anything crazy. Phones simply don't have that security to need to work around.

                                If someone steals my phone I have bigger things to worry about. They would have to know I'm using Signal, then use my SIM card in another phone and set up Signal again.

                                If someone stole my phone I would deactivate or disable my SIM card anyways.

                                Nobody is intercepting my Signal messages. It's my personal number and my employer has no control.

                                I wouldn't consider your worries realistic for the majority. They are more niche and don't really apply to most people.

                                It's the only app I would trust if I wanted to break the law or do anything scrupulous.

                                I know a lot of politicians are using it these days, lol.

                                • JaredBuschJ
                                  JaredBusch
                                  last edited by

                                  You all are fucking stupid.

                                  This entire conversation is going south because @Dashrender is continually conflating shit.

                                  Initial authentication via phone has nothing to do with ongoing security of a service and has nothing to do with a number changing.

                                  @scottalanmiller’s obsession with a phone number not being valid is also just stupid, accurate, yes, but still stupid. Yes some people dispose of numbers left and right, but those people are the minority of wireless users.

                                  It's also an irrelevant argument because there is no global standard unique identifier that could work for all people. For people with a number that does frequently change, they will have to find and accept the use of some other solution.

                                  I have never heard of any good reliable solution for this that does not tie into one of the existing large content providers such as Google or Facebook.

                                  If you want to continue to rail against the solutions that exist, but rely on a phone number for verification, then provide a concrete example of another robust solution.

                                  • scottalanmillerS
                                    scottalanmiller @JaredBusch
                                    last edited by

                                    @jaredbusch said in Signal Group Chat:

                                    @scottalanmiller’s obsession with a phone number not being valid is also just stupid, accurate, yes, but still stupid. Yes some people dispose of numbers left and right, but those people are the minority of wireless users.

                                    In the US, yes. But in the rest of the world, most of the world, numbers are fluid.

                                    • scottalanmillerS
                                      scottalanmiller @JaredBusch
                                      last edited by

                                      @jaredbusch said in Signal Group Chat:

                                      It's also an irrelevant argument because there is no global standard unique identifier that could work for all people. For people with a number that does frequently change, they will have to find and accept the use of some other solution.

                                      But email is that today.

                                      • scottalanmillerS
                                        scottalanmiller @JaredBusch
                                        last edited by

                                        @jaredbusch said in Signal Group Chat:

                                        If you want to continue to rail against the solutions that exist, but rely on a phone number for verification, then provide a concrete example of another robust solution.

                                        But we did. Email is more secure, tied to a person, and universal.

                                        • DashrenderD
                                          Dashrender @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Signal Group Chat:

                                          @jaredbusch said in Signal Group Chat:

                                          @scottalanmiller’s obsession with a phone number not being valid is also just stupid, accurate, yes, but still stupid. Yes some people dispose of numbers left and right, but those people are the minority of wireless users.

                                          In the US, yes. But in the rest of the world, most of the world, numbers are fluid.

                                          I've had 4 different phone numbers while in Europe - I no longer have any of those numbers. It's so cheap to just buy a SIM with 2 GB of data (like $10-20) versus using US based service (with exception of TMo and Google-Fi).

                                          • stacksofplatesS
                                            stacksofplates @JaredBusch
                                            last edited by

                                            @jaredbusch said in Signal Group Chat:

                                            You all are fucking stupid.

                                            This entire conversation is going south because @Dashrender is continually conflating shit.

                                            Initial authentication via phone has nothing to do with ongoing security of a service and has nothing to do with a number changing.

                                            @scottalanmiller’s obsession with a phone number not being valid is also just stupid, accurate, yes, but still stupid. Yes some people dispose of numbers left and right, but those people are the minority of wireless users.

                                            It's also an irrelevant argument because there is no global standard unique identifier that could work for all people. For people with a number that does frequently change, they will have to find and accept the use of some other solution.

                                            I have never heard of any good reliable solution for this that does not tie into one of the existing large content providers such as Google or Facebook.

                                            If you want to continue to rail against the solutions that exist, but rely on a phone number for verification, then provide a concrete example of another robust solution.

                                            Ya I know better, it’s my fault lol.
