
Cellebrite pissed somebody off.

Say what you will about signal but Moxie knows how to make a drop.

signal.org/blog/cellebrite-vul

@drwho next time he skates by tell him “The_gibson says Hack the Planet!”


I am adding a toot here to agree with some other takes regarding this. It is very irresponsible of signal to use their user base to do this.

Although, I’m not sure how else they would have accomplished exposing CB’s vulns without benefitting CB. It doesn’t justify the decision.


@TheGibson @c0debabe

"Well, you may not like him @deejoe but you can't deny, moxie0 has got *style*"

@thegibson I shall do so. I need to ask him when the next time he's doing a New York Skate through downtown SF will be.

@thegibson "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me."

Unbelievable indeed.

@thegibson I mean, the general idea of using their technical knowledge to shine transparency on the integrity problems of surveillance devices like Cellebrite is great. It's just the last step goes a step too far into creating harm instead of preventing it.

If it was just a joke, it really sends the wrong message.

If it is for real, it raises a lot of questions about their judgement and stewardship of a project that has the potential to both reduce harms and be used for harm.

@vortex_egg @thegibson I read it as a "we could do this and maybe we will, but maybe not. It's on you to prove." kind of threat. They don't need to actually *do* anything more.

@thegibson
Unless it is just an idle threat. They could claim that they are deploying it on random installs of signal; and Cellebrite then needs to somehow prove, for EVERY instance their tools are used in a criminal case, that there was never any tampering of reports.

Effectively, the threat itself could be a viable attack against Cellebrite.

@rgegriff @thegibson Slapback: Cellebrite alleges to Apple and Google that Signal's software is being used to distribute malware that targets their platform. Google and Apple pull signal from their app stores until the allegations are proven otherwise.

@docskrzyk @rgegriff

Slapback (in the report) Apple’s libraries are being used by cb in violation of licensing agreements. Apple sues Cb into oblivion.

@thegibson @rgegriff slapityslap - Cellebrite's code comes into question. Various other Apple and Android exploits found being used in Cellebrite. Everybody loses.

I'm guessing this is going to get really interesting really quickly.

@docskrzyk @TheGibson @rgegriff slappity slap slap hand jive - windows mobile CE returns to smartphone market dominance

@djsundog @docskrzyk @TheGibson @rgegriff (street-performer spoon-slapping routine) Nokia N770 and N900 become mobile devices of choice.

@rgegriff @thegibson My biggest gripe with this: What I installed on my phone was billed as a secure messenger, not an exploit payload distribution tool that might randomly recruit my phone to crack other devices. Who knows what situation I will be in when it triggers?

Highly unrealistic hypothetical example: "So... you are traveling to a computer conference and your phone we just randomly 'checked' froze our spying device? You are not boarding that flight, mister."

@TheGibson it can be argued that signal is protecting their userbase by adding a file that deletes the signal database from the cellebrite extracted files using random vulnerabilities in cellebrite software.

I have no idea about the legality of this tbh.

@TheGibson idk, I don’t personally see an issue with distributing innocuous files that just mess with snooping. Maybe an opt out, but tbh I *want* them to put whatever that is on my device, and I don’t even regularly use signal

@thegibson

I'm glad he posted this, and implied that there may be mitigations in place against tools like Cellebrite.

I wonder how this information is going to affect convictions based on seized device data. This could open a door for a huge number of guilty verdicts to be reversed, given that there is no way Cellebrite can prove data remained untampered, given the proof Signal provided.

@bill @thegibson I am of the school of thought that he should have said nothing for as long as possible. Why publicise it?

@thegibson @bill I'm just not convinced putting in writing that he's exploiting a contractor's app suite is a good idea. 'God may forgive you, but the bureaucracy never will'.

@thegibson @bill But Moxie is as vain as he is talented, like so many of his peers.

@thegibson

kmbllaw.com/wp-content/uploads

Cellebrite UFED hardware and software has been independently tested three times by the National Institute of Standards and Technology (NIST) and once by the National Institute of Justice (NIJ) Electronic Crime Technology Center of Excellence (ECTCoE).

VS what dropped today? Goodbye inviolable chain of custody.

Wait until teams start taking apart other LEO IT forensic toolkits...

@bill @thegibson I'm not a lawyer but I feel like a reasonably smart one could use this to call into question all digital forensics tools because the reason the court currently trusts them is these kinds of audits. And yet here we have clear evidence how little those certs are really worth.

@z @bill I have actually dropped a message to my privacy/hacker attorney to get their take on this very thing.

@thegibson @z

Please keep me posted, I'd really like to know what they think.

@z @bill @thegibson
Guess not as public but exploits of this kind of kit have been made public before, just didn't get the same attention.

Remember seeing this last year
nitter.eu/hackerfantastic/stat

And a tweet thread spurred by the Signal post

nitter.eu/hackerfantastic/stat

@dazinism @z @bill

@hackerfantastic has a non-nitter fwiw.

Donated gear to DC502 chapter I run last year. He's an alright guy!

@thegibson @dazinism @z @bill Thanks for the kind words! I agree with what many others are saying here in thread, there was a catalogue of security vulnerabilities and it's not just isolated to Cellebrite products (although the Moxie bug certainly gives legal weight to the data integrity of any case that used Cellebrite software). Those products are expensive, supplied to LE and thus don't get the same set of eyes on them as more widely distributed software. They are all awful with lots of bugs.

@TheGibson I have my complaints about Signal, but damn this is some great stuff haha Props where it's due

@thegibson "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."

lmao, whole article is worth it for that one paragraph

@thegibson "Fell from a truck" this is the sassiest post I've ever read. 😂

hackers.town

A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon its digital shore.