drawkbox

drawkbox t1_j9x9cnn wrote

Being open source doesn't make it secure. You can just view the code. There are tons of other attack vectors past that, CI/build, dependencies, ghost users, surveillance masquerading as moderation/spam checking and so on.

Open source libraries have been owned right in front of everyone. OpenSSL had the Heartbleed hole for years, everyone owned. Log4j/Log4Shell owned every device with Java on it including all Android phones for over a decade...

−9

drawkbox t1_j9x90wo wrote

They have the ability to attach ghost users, the reason they say is moderation/spam, but no backdoor needed with that. The ghost user is able to decrypt like a regular user and syphon out the info.

This was proven with WhatsApp not too long ago and Signal also has the ability to attach users.

Any "secure" encrypted messenger that allows more than 1 to 1 connections will always have the potential for the "ghost user" problem.

System level some use additional connections/recipients for spam/moderation and the moment you allow any invisible/visible group users in, there is a massive potential for an exploit.

Additionally you have the potential for forking off messaging to other users at the system level for either oversight or spam/moderation/other. Some of the compromised systems out there use this very well.

A sneaky way some of these "secure" messaging apps are also doing this is ghost participants in the chat that can essentially syphon off the messages even without a compromised client. The ghost participant is always under the guise of moderation or anti-spam or telemetry or some other proprietary shim.

> The code shows that the messages were secretly duplicated and sent to a “ghost” contact that was hidden from the users’ contact lists.

Lots of "secure" messaging apps do this for intel and surveillance and not just the white hats.

Other areas that "secure" messaging apps have holes in is the anti-spam/moderation systems that need to view messages and in the clients themselves who have access to the unencrypted content. This is also taking place in other client apps as well: VPN, password managers, extensions, wallets, even build systems and more. Many like VPNs have logs sent elsewhere but deleted locally -- access to entire machine and all network access. People are way too trusting of "secure" systems/apps that are very common today based on trust.

All of these apps/systems would pass code checks, reviews, security inspections and essentially be encrypted/"secure" though a copy is sent off to another area for review. At runtime the leak is in the direction of the data.

Then you also have governmental oversight that opens up holes that can be exploited.

On Ghost Users and Messaging Backdoors

> to add a “ghost user” (or in some cases, a “ghost device”) to an existing group chat or calling session. In systems where group membership can be modified by the provider infrastructure, this could mostly be done via changes to the server-side components of the provider’s system.

> I say that it could mostly be done server-side, because there’s a wrinkle. Even if you modify the provider infrastructure to add unauthorized users to a conversation, most existing E2E systems do notify users when a new participant (or device) joins a conversation. Generally speaking, having a stranger wander into your conversation is a great way to notify criminals that the game’s afoot or what have you, so you’ll absolutely want to block this warning.

> While the GCHQ proposal doesn’t go into great detail, it seems to follow that any workable proposal will require providers to suppress those warning messages at the target’s device. This means the proposal will also require changes to the client application as well as the server-side infrastructure.

> (Certain apps like Signal are already somewhat hardened against these changes, because group chat setup is handled in an end-to-end encrypted/authenticated fashion by clients. This prevents the server from inserting new users without the collaboration of at least one group participant. At the moment, however, both WhatsApp and iMessage seem vulnerable to GCHQ’s proposed approach.)

WhatsApp users can now ghost group chats and delete messages for days WhatsApp's latest updates support increased privacy and second-thoughts.

Other messengers also have issues.

Signal + Telegram

  • Default settings in Telegram aren’t encrypted, same with Signal

  • Both sides of a Signal or Telegram conversation have to both have the encryption on

  • Anti-spam filter has to check actual content (proprietary and third party in some cases)

  • Shrouded spectator connections to your chat that may not be visible to you -- part of moderation/spam proprietary hooks. You could have a perfectly clean secure software platform that can still be exposed via normal usage to get data on client or with someone that has access to your comms unencrypted.

  • Connected through your phone number and also your location which narrows it down to exactly you, this is more damning than using ADID, UDID or MAC as this WILL follow you across everything.

  • Users have to be identity validated before they use the app beyond ID bridging.

  • They might be bought someday by someone more unscrupulous with data, all that history going to a private equity firm.

  • Clients have full access to unencrypted data, as well as the server with private keys

  • Even if you trust them now they may not be trustable in the future, see LastPass for an example or Auth0 or ad blockers/extensions or VPNs or even password managers that you trust. All of those need a client on your machine that will have access to elevated permissions and your unencrypted data as they are clients.

  • Source code is delayed after builds. Open doesn't mean much to the end binary if they are putting in proprietary areas and the hash/checksum will be different all the time. Who knows what is in it.

  • Signal gets location, number, identity and more and where you are at. Extreme example: if they know when you shit, they can stage a robbery from third party actors and craigslist style contractors while you’re taking a dump, technically. They know when you’re out for the evening.

  • Also if you have location tracking off they still have IP and device identifier as well as geofenced notifications that don't need the location permission always on. Geofenced location can wake up the app at any time.

  • Signal is recommended by Edward Snowden, Glenn Greenwald, Jack Dorsey and Elon Musk as well as many other potentially sketchy people. Originally these guys were played nice but the people behind them are sketch (Elon being authoritarian funded for instance). Edward Snowden is in Russia and Glenn Greenwald can't say a bad word about Putin. Sketchy that they are the featured testimonials as well as people connected to them.

  • Telegram is funded by Pavel Durov who is essentially Russia's Zuckerberg who is also authoritarian funded. Durov made VK (Russia's Facebook from same MailRU/DST Global funding) and then made their "secure" messenger. Brian Acton ran WhatsApp, bought by Zuckerberg, then made Signal a "secure" messenger. Similar story, same sketchiness even if Signal is less sketchy than Facebook/WhatsApp/Telegram. If someone from Facebook/Meta broke off now and created a "secure" messenger would you believe it and use it now? nah. You think the guys that build social media surveillance aren't just better at it with messengers, a big risk. Alarm bells should be going off if you have good opsec.

  • Telegram feature exposes your precise address to hackers - Messenger maker has expressed no plans to fix location disclosure flaw.

There are NO secure messaging apps, none, unless you wrote your own encryption and shared it with the third party and encrypted before sending outside of that system entirely. If you send an email, that had like PGP that would have worked for a while until the backdoor (Phil Zimmermann was in decades-long cases related to this). But if you make your own encryption and are sending messages in the clear you will get visits so really only military/intel are allowed that. Spy/intel agencies do that all the time but they shroud the messages in content like in the Illegals Program.

There is a reason why these "secure" messengers all exploded in the 2010s...

If you think that there are any secure messengers, you are naive. There is always a way to get access to the input, side channel or through a temporary/targeted hole like how Russia/Saudis/MBS/Trump did with Bezos and WhatsApp. That is another area where these "secure" messengers are compromised, in targeted attacks or temporary holes which just happened recently where 1900 people were compromised and they were targeting 3 numbers in it. There is also the social hole where any member of that chat would also have copies.

> Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.

0
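A simplified model of the client-side check described in the quoted passage above (roster changes authenticated by existing members, so the server alone cannot insert a participant), added here as an example; it is not part of the comment or any messenger's own code. The group key known only to members, the change-record fields and all function names are assumptions for illustration.

```python
import hashlib
import hmac


def change_tag(group_key, epoch, action, member, actor):
    """MAC over one roster change; only holders of group_key can produce it."""
    msg = f"{epoch}|{action}|{member}|{actor}".encode()
    return hmac.new(group_key, msg, hashlib.sha256).digest()


def apply_changes(group_key, roster, changes):
    """Replay server-delivered roster changes, keeping only authenticated ones.

    Returns (verified_roster, rejected_changes). A change is accepted only if
    it is the next epoch (no replay or reordering), was made by a current
    member, and carries a valid tag under the members-only group key.
    """
    roster, rejected, epoch = set(roster), [], 0
    for ch in changes:
        expected = change_tag(group_key, ch["epoch"], ch["action"],
                              ch["member"], ch["actor"])
        ok = (
            ch["epoch"] == epoch + 1
            and ch["actor"] in roster
            and ch["action"] in ("add", "remove")
            and hmac.compare_digest(expected, ch["tag"])
        )
        if not ok:
            rejected.append(ch)  # surface to the user instead of hiding it
            continue
        epoch = ch["epoch"]
        if ch["action"] == "add":
            roster.add(ch["member"])
        else:
            roster.discard(ch["member"])
    return roster, rejected


def unexpected_recipients(verified_roster, fanout):
    """Recipients the client is asked to encrypt to but never verified."""
    return sorted(set(fanout) - set(verified_roster))


def demo():
    # Constructed sample data: one genuine change, one server-injected
    # "ghost" add made without the group key, and a replay of the first.
    key = b"constructed-group-key-known-to-members"
    good = {"epoch": 1, "action": "add", "member": "carol", "actor": "alice"}
    good["tag"] = change_tag(key, 1, "add", "carol", "alice")
    forged = {"epoch": 2, "action": "add", "member": "ghost", "actor": "alice",
              "tag": change_tag(b"server-lacks-group-key", 2, "add",
                                "ghost", "alice")}
    replay = dict(good)
    roster, rejected = apply_changes(key, {"alice", "bob"},
                                     [good, forged, replay])
    flagged = unexpected_recipients(roster, ["alice", "bob", "carol", "ghost"])
    return roster, rejected, flagged


if __name__ == "__main__":
    print(demo())
```
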

drawkbox t1_j9tmxme wrote

Yeah devs aren't really in control when they feed in the datasets. Over time, there will be manipulation/pollution of datasets whether deliberate or unwittingly and it can have unexpected results. Any system that really needs to be logical should really think if it wants that attack vector. For things like idea generation this may be good, for standard data gets or decision trees that have liability, probably not.

Unity game engine has an ad network that this happened to, one quarter their ads were really out of whack and it was due to bad datasets. AI can be a business risk because it did cause revenue issues. We are going to be hearing more and more of these stories.

The Curious Case of Unity: Where ML & Wall Street Meet

> One of the biggest game developers in the world sees close to $5 billion in market cap wiped out due to a fault in their ML models

2

drawkbox t1_j9tm7pq wrote

Yeah humans really aren't ready for the manipulation aspect. It won't really be conscious but it will have so many responses/manipulation points it will feel conscious and magic like it is reading minds.

Our evolutionary responses and reactions are being played already.

It was "if it bleeds it leads" but now is "enragement is engagement". The enragement engagement algorithms are already being tuned from supposed neutral algorithms but they already have bias and pump different content to achieve engagement.

With social media being real time and somewhat of a tabloid, the games with fakes and misinformation will be immense.

We might already be seeing videos of events, protests, war for instance that are completely fake and it is slipping the Turing test. That is the scary thing, we won't really know when it has gone past that. Even just for the pranks, humans will use this like everything. You almost can't trust it already.

6

drawkbox t1_j9tl1kv wrote

Yeah it isn't being human. There really is no such thing if you aren't human. We assign human like qualities to things, and when there are enough, it seems alive. Basically we are Calvin and AI is Hobbes, there is lots of imagination there... even how we assign life to Calvin and Hobbes I just mentioned.

Being human is sort of an irrationality or a uniqueness that AI probably doesn't want to be, it would be too biased. So assigning human qualities to AI is really people seeing what they wanna see. You can already see people seeing bias in it, usually tuned to their bias.

Though in the end we will have search engines that search many AI datasets that could be seen as "individuals". These "individual" AIs could also research with one another like a GAN. There will probably be some interesting things happening on polluting or manipulation of other datasets from other dataset "individuals". Almost like a real person that meets another person and it changes their thinking or lives forever. Some things are immutable, one way and read only after write.

7

drawkbox t1_j9mgqx8 wrote

We track our cars, keys and equipment with AirTags. People who have iPhones are weirded out when they get these messages. Like if you are hanging out with someone and they get the message. Or if you go meet someone for business or espionage meetups with Langley, they particularly don't like that.

Not sure how this can be fixed though without it being abused.

1

drawkbox t1_j99gn3f wrote

Really the Soviet Invasion of the Middle East in Afghanistan, Iran and Syria in 1979 using fronts started terrorism. The Iran hostage crisis was literally the first Soviet active measure after they pushed the revolution there.

The Carter Doctrine, harkening back to the Truman Doctrine, those got both of those guys heavily attacked but needed to be done.

Carter has been a soldier for Western liberalized democratic republics with open fair markets, personal freedoms and fair elections.

After the Carter Doctrine they pushed inflation, energy cartels, espionage, all sorts of asymmetric weaponry at Carter and he was unfazed (sound familiar to today?).

Imagine how different the world would be if Carter had a second term. Biden has some parallels to Carter in a good way.

Underneath it all, Jimmy Carter was just a good human. He strived to make a better quality of life for those around him and afar.

13

drawkbox t1_j94656o wrote

Most foreign ISIS fighters are from Russia (Chechnya). The ones that aren't were pumped by Kremlin propaganda.

Nearly all the terror attacks in Europe (UK/France/etc) were by a Chechen or Russian, even the Boston bombings were Chechens. Most European terrorist attacks were Chechens.

The others were funded, fronted and supplied by Russian weaponry...

1

drawkbox t1_j93p2po wrote

When are people going to learn that the Kremlin has a favored side but manipulates all sides? Kremlin strategy all through history since the Empire is to control false opposition first, then allow more easy victories when you can pressure from both ends.

Russia has backed Syria since the Syrian Islamic Revolution which they helped them with since the 1940s-1950s, they put in Assad and his father. They regularly mess with their leveraged assets. When any start to make any Western move, they attack them and then say, "look at what the West did".

Russia plays multiple sides against each other within countries experiencing internal conflict, using these conflicts as a wedge to deepen its regional influence. The Middle East offers Russia many such opportunities for controlled strife.

Support Opposing Sides Simultaneously: Russia’s Approach to the Gulf and the Middle East

1

drawkbox t1_j93otns wrote

"I'm baaaaaaccckkkkk"

Hey, how cute, you found a friend. Look at you guys, you work well together. "Do you make an effective team?" -- Tet

There is more where this came from...

Sure beyond the obviousness of this going on here you go...

Russia, Chechnya and Dagestan and others supplied 5k fighters at minimum

> - Russia: 5,000 (380 returnees)

> - Tunisia: 4,000 (900 returnees)

> - Jordan: 3,950 (250 returnees)

> - Saudi Arabia: 3,244 (760 returnees)

> - Turkey: 3,000 (900 returnees)

> - Uzbekistan: 2,500

> - France: 1,910 (398 returnees)

> - Morocco: 1,699 (236 returnees)

> - Tajikistan: 1,502 (147 returnees)

> - China: 1,000

> - Germany: 960 (303 returnees)

> - Lebanon: 900

> - Azerbaijan: 900 (49 returnees)

> - Kyrgyzstan: 863 (63 returnees)

> - United Kingdom: 850 (425 returnees)

> - Indonesia: 800 (183 returnees)

> - Kazakhstan: 600 (113-128 returnees)

> - Libya: 600

> - Egypt: 600

> - Turkmenistan: 500

Origins of foreign fighters

> Fighters include those from the Gulf Arab states, Tunisia (following its own Tunisian revolution), Libya (following the Libyan Civil War), China, other Arab states, Russia, including the North Caucasus region, and Western countries. Some jihadist groups are dominated by a single nationality, as is the case with the Caucasus Emirate (Chechens) and the Turkistan Islamic Party (Uyghurs), or the pro-government Afghan Shia Liwa Fatemiyoun.

> A 7 December 2015 report by the Soufan Group gave estimates for the number of foreign fighters in Syria and Iraq by their country and region of origin based on information dated between 2014 and 2015. The study, which only included foreign fighters with ISIL, al-Nusra and other Sunni jihadist factions, listed the countries with the largest number of foreign fighters were Tunisia (6000), Saudi Arabia (2500), Russia (2400), Turkey (2100), Jordan (2000+) while the number of fighters by region was reported to be: the Middle East (8240), the Maghreb (8000), Western Europe (5000), former Soviet Republics (4700), Southeast Asia (900), the Balkans (875), and North America (289)

Russia plays multiple sides against each other within countries experiencing internal conflict, using these conflicts as a wedge to deepen its regional influence. The Middle East offers Russia many such opportunities for controlled strife.

Support Opposing Sides Simultaneously: Russia’s Approach to the Gulf and the Middle East

1

drawkbox t1_j93or5c wrote

Sure beyond the obviousness of this going on here you go...

Russia, Chechnya and Dagestan and others supplied 5k fighters at minimum

> - Russia: 5,000 (380 returnees)

> - Tunisia: 4,000 (900 returnees)

> - Jordan: 3,950 (250 returnees)

> - Saudi Arabia: 3,244 (760 returnees)

> - Turkey: 3,000 (900 returnees)

> - Uzbekistan: 2,500

> - France: 1,910 (398 returnees)

> - Morocco: 1,699 (236 returnees)

> - Tajikistan: 1,502 (147 returnees)

> - China: 1,000

> - Germany: 960 (303 returnees)

> - Lebanon: 900

> - Azerbaijan: 900 (49 returnees)

> - Kyrgyzstan: 863 (63 returnees)

> - United Kingdom: 850 (425 returnees)

> - Indonesia: 800 (183 returnees)

> - Kazakhstan: 600 (113-128 returnees)

> - Libya: 600

> - Egypt: 600

> - Turkmenistan: 500

Origins of foreign fighters

> Fighters include those from the Gulf Arab states, Tunisia (following its own Tunisian revolution), Libya (following the Libyan Civil War), China, other Arab states, Russia, including the North Caucasus region, and Western countries. Some jihadist groups are dominated by a single nationality, as is the case with the Caucasus Emirate (Chechens) and the Turkistan Islamic Party (Uyghurs), or the pro-government Afghan Shia Liwa Fatemiyoun.

> A 7 December 2015 report by the Soufan Group gave estimates for the number of foreign fighters in Syria and Iraq by their country and region of origin based on information dated between 2014 and 2015. The study, which only included foreign fighters with ISIL, al-Nusra and other Sunni jihadist factions, listed the countries with the largest number of foreign fighters were Tunisia (6000), Saudi Arabia (2500), Russia (2400), Turkey (2100), Jordan (2000+) while the number of fighters by region was reported to be: the Middle East (8240), the Maghreb (8000), Western Europe (5000), former Soviet Republics (4700), Southeast Asia (900), the Balkans (875), and North America (289)

Russia plays multiple sides against each other within countries experiencing internal conflict, using these conflicts as a wedge to deepen its regional influence. The Middle East offers Russia many such opportunities for controlled strife.

Support Opposing Sides Simultaneously: Russia’s Approach to the Gulf and the Middle East

4

drawkbox t1_j90d69k wrote

Kremlin have such theater going on in Syria. I feel bad that they have been leveraged by the Octopus fully since Soviets backed the Syrian Islamic Revolution and put in both Assad and his father. The whole theater is a bunch of false opposition, most foreign ISIS fighters are from Russia (Chechnya) and have done nearly all the attacks in Western Europe, Syria, Iraq and more.

All intel agencies know this and it is ridiculous they keep trying to play the War on Terror. That game is over, shroud lifted, Russia/China in the spotlight.

6

drawkbox t1_j8ql1ss wrote

−1

drawkbox t1_j8g81ry wrote

Hey it is this week's sus squad and usual suspects layoff announcement. Just trying to create a downturn and lower worker power/wages things... who will it be next week?

Twilio probably lost revenue from the robocall scamming.

FCC Issues Cease-and-Desist Letter to Twilio for Apparently Transmitting Illegal Robocall Traffic

Though they probably need more devs with stuff like this going on...

There was a big Authy hack not too long ago.

Twilio and Authy also hacked recently. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash.

Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch. This breach is damaging.

> U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.

> Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.

> Now, Twilio has confirmed that Authy users were also impacted by the breach.

> In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.

> The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.

Okta breached as a result of the Twilio/Authy breach

> Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. This marks the second time Okta has reported a security incident this year.

> In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with this week’s Group-IB investigation, which suggested one of the hackers involved in the campaign may reside in North Carolina.

DoorDash also caught up in it

> DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools. The company declined to name the third-party, but confirmed the vendor was not Twilio.

8