This is a fascinating read. Let this sink in: law enforcement compromised the network of a secure chat solution and pushed malware to all endpoints in order to read all the messages. All that on the premise that the majority of the users were criminals, even though some weren't.

· · Web · 2 · 4 · 2

Sure, the strikes against organized crime achieved here are impressive. But this is also scary as the same tools could be (and are being) used against opposition and dissidents for example.

Depending on your country, you can probably trust the current government to do the right thing. But what about the next government? Maybe democratic countries should not be allowed to do this at all, or there should be very strong controls to prevent misuse.

Show thread

This is why an e2e solution like Signal is so important. You can't trust anyone or anything in the middle.

@ScottMortimer But this was also an e2e solution. I'm not sure how law enforcement got malware on these devices but I'd guess that they compromised the update process.

@WPalant My taxes paid for this and I am deeply ashamed. 😐 I think no democracy should deliver a blanket authorization to hack all customers of a solution. Hack suspects, yes. All devices is unacceptable.

@x_cli @WPalant my takeaway from this is they you must not trust "push" updates. Never allow auto updates but always ensure updates are "legit" to the best if your ability before allowing them to install themselves.
Invisible app installs and updates is why I dont trust windoze10.. somedays you can see apps installed that *they* want you to have but you have never heard of or wanted..

@whonose123 Not sure about you, but my "best of your ability" for binary updates is close to zero. And even for non-binary it costs way more time than I can afford. 🙁 @x_cli

@WPalant @x_cli indeed, so there should be some trusted (and competent!) 3rd party that can "approve" updates before they are applied.. That would have stopped "Wannacry" too... Hmmm.. maybe I am going in circles here LOL!

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.