1/ In case you don't have the context to understand this manifesto, let me explain it to you.

signal.org/blog/cellebrit…
2/ Cellebrite is a product designed for law enforcement to forensically scan Androids and iPhones. Recently, they announced that they've added the ability to forensically scan the Signal app.
3/ Signal, as you'll recall, is the famous end-to-end encrypted app -- meaning that nobody in between the ends can intercept your data, not the FBI, not the NSA, and not even Signal itself.
4/ But "end-to-end" still means vulnerability on the ends, so that if someone can get your (unlocked) phone and analyze the contents, they can get stuff, like saved messages in Signal.
5/ Signal allows automatic expiration (and removal) of old messages that partially mitigates this threat, but it's still a threat. There's no technical defense that Signal can provide against this threat.
6/ BUT THE BEST DEFENSE IS OFFENSE.

(This is the tl;dr of this thread)
7/ The source of most vulnerabilities is the interface between the data pulled in from the outside untrusted world and parsed internally by code. The more types of data a program handles, the larger it's expose to hacks, it's "attack surface".
8/ Since Cellebrite must parse lots of different data formats, it has the largest attack surface of almost anything. It means you can pull data on your phone that, when Cellebrite opens, will hack Cellebrite.
9/ Thus Moxie's manifesto: if Cellebrite continues to try to hack Signal data, Signal will continue to hack Cellebrite.

This is an interesting threat because if Cellebrite is easily hacked, it's data is no longer reliable in court cases.
10/ In other words, when they come for you (and they will), get your phone, and use the Cellebrite evidence against you in a court of law, your defense can call into question the evidence because the Cellebrite data may be altered from a hack.
11/ Thus, Signal promises to keep putting hacked files inside it's data to corrupt Cellebrite. This kinda threatens Cellebrite into backing off.
12/ While this sounds fun, it's actually counter productive. It's just free quality assurance for Cellebrite. They just need to install Signal on their phone, get the latest bug that's been found, and ship an update.
13/ Instead, the actual defense is to publish such a vuln every couple months pointing out that Cellebrite can never be trusted in any court case.
14/ The overall message is "don't fuck with hackers".
(FYI: Use Signal and use Tor -- unless your life depends upon it. In which case, educate yourself on the threats against you and don't listen to simple one sentence advice on the subject and make your own educated decisions).

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Robᵉʳᵗ Graham😷, provocateur

Robᵉʳᵗ Graham😷, provocateur Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ErrataRob

15 Apr
I keep seeing this appear in my timeline. I don't think people understand what Reuters is. It's a news agency. It provides news to professionals. It doesn't provide mass market news.
The customer base is professionals, not the mass market. The mass market willing consumes advertising-driven "clickbait" stories. Professionals are willing to pay a lot more for quality news that isn't agenda drive or clickbait driven.
Well, yes, it's bland vanilla. That's entirely the point. If you want reliable news, rather than ginned up clickbait, then you have to pay for it. Entertainment is cheaper than reliable information.
Read 9 tweets
14 Apr
I have the same questions. Note that I am willing to accept there's good explanations, that there's some law I've missed that explicitly gives them power to do this. It's just that if there isn't, then the FBI's actions are egregious and worthy of outrage.
I deal with sides: law enforcement on one said and cyber anarchists on the other. Law enforcement hates anarchists and see themselves as inherently better, because they believe in following the law.
Except, as it appears here, they didn't. They simply ignored the law, pretending that a search warrant gives them the power to delete files from people's computers. They feel justified in this obvious misreading of the law because their cause is just.
Read 4 tweets
12 Apr
I've boycotted the FSF for 30 years. I'm not sure what new thing that the rest of you have recently discovered that makes you want to boycott them now.
I mean, I do understand. It's the social media pile on effect where a bunch of like minded people get outraged and feel they can successfully bully the FSF into seeing things their way.
I've read letters like the following. It's garbage, indicting Stallman for being nerd, which by definition means he sees things differently.
rms-open-letter.github.io
Read 4 tweets
12 Apr
Everyone is laughing at Ted Nugent for saying "why no lockdowns for COVID-18", but people aren't likewise laughing at tech CEOs for saying "we can do X online but not vote?".

The answer is because a small amount of fraud/mistakes are acceptable for X, but not for voting.
Credit card fraud accounts for like 0.5% of all purchases. Imagine if 0.5% of votes where fraudulent. Uber is full of GPS problems (arriving and getting you to the destination), and drivers routinely game the system to get the most profitable riders.
Moreover, the most important part of the voting system is trust -- trust that the system hasn't been hacked either by foreign hackers or the elites who run/administer it. That's vastly easier to demonstrate with a paper trail than the magic of computers.
Read 6 tweets
9 Apr
How is Musk's tunnel in Las Vegas better than a normal train tunnel.

To answer this, we are going to use what computer scientists call "big-O notation". Tunnels are 𝑶(𝑛²) -- so Musk's trick is to create narrow tunnels.
The effort to dig tunnels depends upon the size of the tunnel -- but this grows faster than you think. Twice the width of the tunnel means FOUR TIMES the effort to dig it. You can see that with the following circles: the larger is twice the width of the 4 smaller ones
Subway tunnels to fit rail cars are often around 28 feet, Elon's trying to get his tunnels below 14 feet. This means creating tunnels with ¼ the effort, a quarter of the cost. Instead of $200million for the Las Vegas project, $50million.
Read 9 tweets
7 Apr
College programming courses are horribad. They are college -- they attempt to teach you the theory of coding rather than practice. Thus, they leave you totally unequipped to actually code.
To be a good coder you need both theory and practice, so I can't say that colleges are wrong in focusing on theory. I'm just saying that you need practice. If you enter college having already practiced, the theory will make much more sense.
If you try to learn coding by picking up a college textbook and all that theory looks like gibberish, drop it and find a book that focuses on practice instead. But later, go back to that college textbook and learn theory. Both are needed.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!