Submitted by ActivePersona t3_11b6wx9 in technology
uwu2420 t1_j9y65ub wrote
Reply to comment by drawkbox in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
> You dismiss user level auth
To scrape my Signal messages, you need access to my physical device, and you need my passcode. To get access to iMessage messages, all you need to do is get my latest backup, or the backup of the person I talked to, off of Apple’s servers, for example, with a legal request, which completely bypasses the need for any user level auth/encryption.
Agree to disagree
drawkbox t1_j9y8ajk wrote
> To scrape my Signal messages, you need access to my physical device, and you need my passcode.
Same with getting access to your iCloud/Apple account.
> To get access to iMessage messages, all you need to do is get my latest backup, or the backup of the person I talked to, off of Apple’s servers, for example, with a legal request, which completely bypasses the need for any user level auth/encryption.
As I said, anything stored in a cloud will have some oversight. Anyone that thinks storing something in a cloud is secure from oversight is dim.
If you think anyone from enforcement can just get your iCloud/Apple account, that would also mean they are able to access your device and everything on it including your "encrypted end to end" Signal messages that are plaintext on your client.
Messaging apps also get cam/mic/location/contacts permissions, Signal is no different, one more entity with your face/voice/place/friends.
You can trust Signal, a third party, rock on. Acton is involved in both, from WhatsApp, went to Facebook, and then when people stopped trusting Facebook he made Signal to catch those leaving. The story is he didn't trust Facebook, no one should, but can you trust Signal/Acton or is it a front. You decide. Problem is you trust them so much they got ya. I mean Elon Musk and Edward Snowden recommend it... is must be safe /s. Signal is maybe safe, maybe safe from some five eyes, but not all eyes not in the five. Even then, there are always ways to get in via dependencies and devs (mainly devops) are the weak link today sadly.
Agree to disagree, good discussion though.
uwu2420 t1_j9y8y3c wrote
> Same with getting access to your iCloud/Apple account
No you don’t, because it is stored unencrypted on Apple servers and Apple themselves will give it to you (for example, with a legal request). If you go this route, you don’t need the physical device or any of the user’s passwords. The user won’t even know it’s happened until they are told.
The difference is in one case, my password and my physical device is needed. If you want that, you’ll have to physically get my device from me, and then get me to tell you my passcode. The other is just stored on Apple’s servers. If you don’t see how one is much harder than the other, I dunno what to tell you lol
Edit: no need to believe me, believe American law enforcement instead and refer to the leaked slide I posted earlier.
drawkbox t1_j9y9geb wrote
Unencrypted behind being encrypted by the user context... so yes, not double encrypted. You can encrypt it though.
Messaging apps also get cam/mic/location/contacts permissions, Signal is no different, one more entity with your face/voice/place/friends.
We definitely agreed to disagree.
Viewing a single comment thread. View all comments