Cellebrite pissed somebody off.
Say what you will about Signal but Moxie knows how to make a drop.
I like the video clip about halfway down.
I am adding a toot here to agree with some other takes regarding this. It is very irresponsible of Signal to use their user base to do this.
Although, I’m not sure how else they would have accomplished exposing CB’s vulns without benefitting CB. It doesn’t justify the decision.
@thegibson I shall do so. I need to ask him when the next time he's doing a New York Skate through downtown SF will be.
@thegibson "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me."
@thegibson you mean a post.
@Meandres I mean a god damned toot!
@thegibson I mean, the general idea of using their technical knowledge to shine transparency on the integrity problems of surveillance devices like Cellebrite is great. It's just the last step goes a step too far into creating harm instead of preventing it.
If it was just a joke, it really sends the wrong message.
If it is for real, it raises a lot of questions about their judgement and stewardship of a project that has the potential to both reduce harms and be used for harm.
@vortex_egg agreed. No arguments.
Unless it is just an idle threat. They could claim that they are deploying it on random installs of Signal; and Cellebrite then needs to somehow prove, for EVERY instance their tools are used in a criminal case, that there was never any tampering of reports.
Effectively, the threat itself could be a viable attack against Cellebrite.
@rgegriff @thegibson My biggest gripe with this: What I installed on my phone was billed as a secure messenger, not an exploit payload distribution tool that might randomly recruit my phone to crack other devices. Who knows what situation I will be in when it triggers?
Highly unrealistic hypothetical example: "So... you are traveling to a computer conference and your phone we just randomly 'checked' froze our spying device? You are not boarding that flight, mister."
@TheGibson it can be argued that Signal is protecting their userbase by adding a file that deletes the Signal database from the Cellebrite extracted files using random vulnerabilities in Cellebrite software.
I have no idea about the legality of this tbh.
@qwazix this fully resides in the grey zone.
@TheGibson idk, I don’t personally see an issue with distributing innocuous files that just mess with snooping. Maybe an opt out, but tbh I *want* them to put whatever that is on my device, and I don’t even regularly use signal
I'm glad he posted this, and implied that there may be mitigations in place against tools like Cellebrite.
I wonder how this information is going to affect convictions based on seized device data. This could open a door for a huge number of guilty verdicts to be reversed, given that there is no way Cellebrite can prove data remained untampered, given the proof Signal provided.
@bill I agree.
Cellebrite UFED hardware and software has been independently tested three times by the National Institute of Standards and Technology (NIST) and once by the National Institute of Justice (NIJ) Electronic Crime Technology Center of Excellence (ECTCoE).
VS what dropped today? Goodbye inviolable chain of custody.
Wait until teams start taking apart other LEO IT forensic toolkits...
Remember seeing this last year
And a tweet thread spurred by the Signal post
@thegibson @dazinism @z @bill Thanks for the kind words! I agree with what many others are saying here in thread, there was a catalogue of security vulnerabilities and it's not just isolated to Cellebrite products (although the Moxie bug certainly gives legal weight to the data integrity of any case that used Cellebrite software). Those products are expensive, supplied to LE and thus don't get the same set of eyes on them as more widely distributed software. They are all awful with lots of bugs.
@TheGibson I have my complaints about Signal, but damn this is some great stuff haha Props where it's due
@thegibson "Fell from a truck" this is the sassiest post I've ever read. 😂